Re: ICP proxy for Firewall

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Tue, 21 Oct 1997 08:31:58 +0100

At 06:50 PM 10/20/97 +0200, tgraff@esoc.esa.de wrote:

>Hello,
>
>I am looking for an ICP proxy for our Firewall. We're using the Tis
>Gauntlet software here, which is the full version of the Tis Firewall
>toolkit. This may be not the right forum for Firewall issues, but I've seen
>from the recent messages to this list, a lot of people using their Squid
>cache servers along with Firewalls, especially the tis toolkit.
.. deleted ...

This might be very useful, but TIS told us UDP is not something they want to
support. It is possible to set up a "UDP-tunnel" through the FW, "but people
who do this will get on the black list" (quote from one of the techs who
came to set up an initial evaluation system). The main problem (their main
problem) was that they couldn't keep a good connection state. (I think this
should be possible, but it requires understanding of the higher-layer protocol,
completed with time-outs.)

Judging from TIS' comments I don't think this will be included in their kit
and they will not support others to build one.

A few solutions (I think)

1) Make it yourself (mmmm)
2) Use proxy-autoconfig from an internal www-server and list all
internal/external servers in your domain (off-site per default via proxy)
3) Create separate domains for internal/external (mmm)
4) Have an internal proxy which takes care of the "routing"

>I've first tried to place the cache server outside the Firewall on our
>external LAN segment, using the http-gw handoff option, which works fine,

Unrelated question: Do you see any performance issues when the cache is
outside the FW? For example, does a fully cached page still get downloaded
at full speed, or does the FW slow it down?

>Thomas Graff
>European Space Operations Centre
>phone: (+49)-6151-90-2996
>FAX: (+49)-6151-90-3503
>Email: tgraff@esoc.esa.de

Marc
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: marc.van.selm@nc3a.nato.int
---------------------------------------------------------------------
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
Received on Mon Oct 20 1997 - 23:32:59 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:18 MST
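
The remark above that connection state for UDP needs knowledge of the higher-layer protocol plus time-outs, worked through for ICP as an added example (not code from the post, from TIS or from Squid). The class and function names and the 2-second reply window are assumptions; the header layout and opcodes follow RFC 2186, and the datagrams are constructed.

```python
import struct
import time

# ICP v2 header (RFC 2186), network order, 20 bytes: opcode, version,
# message length, request number, options, option data, sender address
ICP_HDR = struct.Struct("!BBHIII4s")
ICP_OP_QUERY = 1
ICP_REPLY_OPS = {2, 3, 4, 21, 22, 23}  # HIT, MISS, ERR, MISS_NOFETCH, DENIED, HIT_OBJ

def make_icp(opcode, reqnum, payload=b""):  # builds constructed demo datagrams
    return ICP_HDR.pack(opcode, 2, ICP_HDR.size + len(payload), reqnum, 0, 0, b"\0" * 4) + payload

class IcpStateTable:
    """Hypothetical pseudo-connection table for ICP crossing a firewall."""

    def __init__(self, timeout=2.0, clock=time.monotonic):
        self.timeout = timeout      # assumed reply window in seconds
        self.clock = clock
        self.pending = {}           # (peer, request number) -> expiry time

    def _parse(self, datagram):
        if len(datagram) < ICP_HDR.size:
            return None
        opcode, version, length, reqnum, _, _, _ = ICP_HDR.unpack_from(datagram)
        if version != 2 or length != len(datagram):
            return None             # malformed, or the length field lies
        return opcode, reqnum

    def outbound(self, peer, datagram):
        """Inside cache to outside peer: pass only queries and remember them."""
        parsed = self._parse(datagram)
        if parsed is None or parsed[0] != ICP_OP_QUERY:
            return False
        self.pending[(peer, parsed[1])] = self.clock() + self.timeout
        return True

    def inbound(self, peer, datagram):
        """Outside to inside: pass one reply per outstanding query, in time."""
        parsed = self._parse(datagram)
        if parsed is None or parsed[0] not in ICP_REPLY_OPS:
            return False
        expiry = self.pending.pop((peer, parsed[1]), None)
        return expiry is not None and self.clock() <= expiry

    def expire(self):
        """Drop queries that never got a reply; returns how many were dropped."""
        stale = [k for k, exp in self.pending.items() if exp < self.clock()]
        for k in stale:
            del self.pending[k]
        return len(stale)
```
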